This is a discussion on PHP Encoders within the PHP General forums, part of the PHP Programming Forums category.

Hi there!

I am currently looking for suitable solutions for encoding PHP scripts after developing a couple of commercial applications in PHP.

Has anybody had any experience with several encoders like IONCUBE, SOURCEGUARDIAN, ZEND, etc... so far?

I just tested an evaluation copy of IONCUBE's php encoder which worked pretty fine. Runtime decoding is really fast and easy to implement. Has anybody some deeper insight into this issue?

Thanks
Jerry

"Jerry" <eagleflyer2@lycos.com> wrote in message news:cthkrv0aj0h0cu04g592rr6bhqfdn29kpk@4ax.com...
> Hi there!
>
> I am currently looking for suitable solutions for encoding PHP scripts
> after developing a couple of commercial applications in PHP.
>
> Has anybody had any experience with several encoders like IONCUBE,
> SOURCEGUARDIAN, ZEND, etc... so far?

You might consider
http://www.semdesigns.com/Products/O...bfuscator.html

> I just tested an evaluation copy of IONCUBE's php encoder which worked
> pretty fine. Runtime decoding is really fast and easy to implement.
> Has anybody some deeper insight into this issue?

Ours doesn't have any runtime decoder at all; no need to change the target server at all. But folks might rightfully accuse us of being biased since we are a vendor. So I'll otherwise stay mum on the topic, and let the community have its say.

-- IDB

Hi Ira:

Many thanks for your tip. In fact I already came across your website once. Please feel free to comment as much as you like. I am thankful for every little bit of info I could get.

I will be frank with you: I have always been a little bit reluctant to use obfuscators since the source code does not actually disappear and it should not be too difficult to find the correct patterns and algorithms to map and restore the scrambled code. One could possibly write a good piece of code that would do exactly that.

Instead the e.g. ioncube encoder really encodes the scripts and requires only one file (the "runtime-loader") to be uploaded along with the encrypted scripts onto the server to make the scripts executable. Since the scripts run as a compiled application they are even faster than unencrypted PHP scripts. So, this seems an interesting alternative to me.

Costs: Your obfuscator costs US$150.00. The ioncube encoder starts at US$199.00. Personally, I find it's worth the difference.

What is your take on that?
Thank you for your help and opinion.

Jerry

P.S. NO, I'm in no way affiliated with ioncube. It's just the software which I had a chance to test so far. :-)

On Tue, 18 Nov 2003 16:53:21 -0600, "Ira Baxter" <idbaxter@semdesigns.com> wrote:
>
>"Jerry" <eagleflyer2@lycos.com> wrote in message
>news:cthkrv0aj0h0cu04g592rr6bhqfdn29kpk@4ax.com...
>> Hi there!
>>
>> I am currently looking for suitable solutions for encoding PHP scripts
>> after developing a couple of commercial applications in PHP.
>>
>> Has anybody had any experience with several encoders like IONCUBE,
>> SOURCEGUARDIAN, ZEND, etc... so far?
>
>You might consider
>http://www.semdesigns.com/Products/O...bfuscator.html
>
>> I just tested an evaluation copy of IONCUBE's php encoder which worked
>> pretty fine. Runtime decoding is really fast and easy to implement.
>> Has anybody some deeper insight into this issue?
>
>Ours doesn't have any runtime decoder at all; no need to change
>the target server at all. But folks might rightfully accuse us of being
>biased since we
>are a vendor. So I'll otherwise stay mum on the topic, and let
>the community have its say.
>
>-- IDB

Jerry wrote:
> I have always been a little bit reluctant to use obfuscators since the
> source code does not actually disappear and it should not be too
> difficult to find the correct patterns and algorithms to map and
> restore the scrambled code. One could possibly write a good piece of
> code that would do exactly that.

Same here. In fact, the first step for this process would be to use something like:
http://www.tote-taste.de/X-Project/beautify/

Allowing the code to be easier to read and in a consistent format, making it easier to write a script for the rest.

--
Justin Koivisto - spam@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions, alt.php* groups are not recommended.

Jerry <eagleflyer2@lycos.com> wrote in message news:<cthkrv0aj0h0cu04g592rr6bhqfdn29kpk@4ax.com>...
> Hi there!
>
> I am currently looking for suitable solutions for encoding PHP scripts
> after developing a couple of commercial applications in PHP.
>
> Has anybody had any experience with several encoders like IONCUBE,
> SOURCEGUARDIAN, ZEND, etc... so far?

Did you try http://pobs.mywalhalla.net/ ?

---
"One who mix sports and patriotism is a barbarian"
Email: rrjanbiah-at-Y!com

Hi,

POBs is really good, but I have had some weird problems when encoding large files, especially if you take out the line breaks in the options.

Another problem with POBS is that you can have your "config.php" file not encoded with the rest of the files, since it changes your variables (e.g. $email becomes something like $2d4g3a5sd) your $email variable is not recognised in the rest of the program/s, which is quite a pain in the ass explaining to a customer who just bought your software to enter the $email variable in $2d4g3a5sd and their $blah variable in $234sdhk23 etc etc

I personally prefer CodeSecure from securecents.com at only 49$ but then, I'm biased :-)

Cheers,
-Ryan

> Did you try http://pobs.mywalhalla.net/ ?

> > Hi there!
> >
> > I am currently looking for suitable solutions for encoding PHP scripts
> > after developing a couple of commercial applications in PHP.
> >
> > Has anybody had any experience with several encoders like IONCUBE,
> > SOURCEGUARDIAN, ZEND, etc... so far?
>
> Did you try http://pobs.mywalhalla.net/ ?
>
> ---
> "One who mix sports and patriotism is a barbarian"
> Email: rrjanbiah-at-Y!com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

I like POB too but it's an obfuscator. To fix your $email problem just do a search for $2d4g3a5sd and change them all to $email.

An encoder would be Ioncube or Turck's mmcache but the server needs to be installed with their software to run the encoded scripts. POB doesn't need anything installed to run.

-----Original Message-----
From: Ryan A [mailto:ryan@coinpass.com]
Sent: November 20, 2003 12:29 PM
To: R. Rajesh Jeba Anbiah
Cc: php-general@lists.php.net
Subject: Re: [php] Re: PHP Encoders

Hi,

POBs is really good, but I have had some weird problems when encoding large files, especially if you take out the line breaks in the options.

Another problem with POBS is that you can have your "config.php" file not encoded with the rest of the files, since it changes your variables (e.g. $email becomes something like $2d4g3a5sd) your $email variable is not recognised in the rest of the program/s, which is quite a pain in the ass explaining to a customer who just bought your software to enter the $email variable in $2d4g3a5sd and their $blah variable in $234sdhk23 etc etc

I personally prefer CodeSecure from securecents.com at only 49$ but then, I'm biased :-)

Cheers,
-Ryan

> Did you try http://pobs.mywalhalla.net/ ?

> > Hi there!
> >
> > I am currently looking for suitable solutions for encoding PHP scripts
> > after developing a couple of commercial applications in PHP.
> >
> > Has anybody had any experience with several encoders like IONCUBE,
> > SOURCEGUARDIAN, ZEND, etc... so far?
>
> Did you try http://pobs.mywalhalla.net/ ?
>
> ---
> "One who mix sports and patriotism is a barbarian"
> Email: rrjanbiah-at-Y!com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

"Jerry" <eagleflyer2@lycos.com> wrote in message news:t37mrvs5oth98femkgj9t52sgqkc6ipt37@4ax.com...
> I have always been a little bit reluctant to use obfuscators since the
> source code does not actually disappear and it should not be too
> difficult to find the correct patterns and algorithms to map and
> restore the scrambled code. One could possibly write a good piece of
> code that would do exactly that.

I don't know what you mean by "restore the scrambled code" after obfuscation. The comments are gone, so no tool or person can restore them without essentially simply guessing. The identifier names are meaningless, and restoring them to something sensible means you pretty much have to understand what the code is doing in order to choose a good name. So I don't think you can write a "tool" to do this at all. (Another poster observed that you *can* use a tool to reformat obfuscated text so its block structure is visible. Our tool also can format and so can be used for that purpose too, but the real value in the obfuscation is the removal of comments and scrambling of names).

If you have a really small application, obfuscation won't "hide" it very well. If you have a really big application, in our opinion, the number of names that have to be regenerated becomes pretty daunting for a would-be reverse-engineer.

> Instead the e.g. ioncube encoder really encodes the scripts and
> requires only one file (the "runtime-loader") to be uploaded along
> with the encrypted scripts onto the server to make the scripts
> executable. Since the scripts run as a compiled application they are
> even faster than unencrypted PHP scripts. So, this seems an
> interesting alternative to me.

"Encoding" the script doesn't prevent reverse engineering. It just raises the effort level required to decode it. (I'll cheerfully admit it raises it somewhat higher than obfuscated source.) Ultimately, if somebody wants to reverse engineer your code, they can. So the real question is, what's enough protection? Most people don't use bank vault locks on their front door. Deadbolts are good enough for the majority.

> Costs: Your obfuscator costs US$150.00. The ioncube encoder starts at
> US$199.00 Personally, I find it's worth the difference.

OK. Everybody makes their choice. We chose to provide source obfuscation because while you may have a customer for your PHP source code, you can't always tell your customer what he must run on his server. Of course, if your customer *wants* to run with a PHP compiler, he can do that with obfuscated source, too, but now it is his choice, not yours.

> What is your take on that?
> Thank you for your help and opinion.
>
> Jerry

--
Ira D. Baxter, Ph.D., CTO 512-250-1018
Semantic Designs, Inc. www.semdesigns.com

"Justin Koivisto" <spam@koivi.com> wrote in message news:m5Mub.1063$Uz.32494@news7.onvoy.net...
> Jerry wrote:
> > I have always been a little bit reluctant to use obfuscators since the
> > source code does not actually disappear and it should not be too
> > difficult to find the correct patterns and algorithms to map and
> > restore the scrambled code. One could possibly write a good piece of
> > code that would do exactly that.
>
> Same here. In fact, the first step for this process would be to use
> something like:
> http://www.tote-taste.de/X-Project/beautify/
>
> Allowing the code to be easier to read and in a consistent format,
> making it easier to write a script for the rest.

X-Project/beautify explicitly claims it doesn't work on all code. If you used it on obfuscated code, and it damaged it, you'd have a heck of a time understanding the result.

If you insist on this, you could use:
http://www.semdesigns.com/Products/F...Formatter.html
This does work for all PHP constructs, by virtue of being a full PHP parser.

Having made the code nicely indented, however, you still have to guess at whatever comments were lost, and you still have to reinvent meaningful names for all the variables and functions. For tiny programs, you can probably do this. For a program with several hundred variables (how big are yours?) this is actually an immense amount of work. And you can't "automate" the reconstruction of the comments or the variable names. So this doesn't strike me as a great deal of help. YMMV.

--
Ira D. Baxter, Ph.D., CTO 512-250-1018
Semantic Designs, Inc. www.semdesigns.com